1 Reply Latest reply on Jun 22, 2010 1:56 AM by Christy Christy

    web-service authentication problem

    Christy Christy Novice

      Hi to everyone!

      I want to secure the endpoint but do not want to secure thr wsdl file. I tried to do it two ways but I can not do it.

      The first way: I tried to use annotations. This is my simple POJO web-service:

       

      @WebContext(contextRoot="/testFormats", urlPattern="/*", authMethod="BASIC", transportGuarantee="NONE", secureWSDLAccess=false)
      @SecurityDomain("JBossWS")
      @RolesAllowed("friend")
      @WebService(
              portName = "TestFormatsPort",
              serviceName = "TestFormatsService",
              targetNamespace = "http://testservices/"      
      )
      public class TestFormatsService {
          @WebMethod
          public int getNumber(Double d) {
           /////
          }

      In this case wsdl is not secure, but the endpoint is not secure too. I can easy get access to web-service through client stubs.

       

      the second way: I did not used any annotations, I configured web.xml:

       

      <web-app version='2.4' xmlns='http://java.sun.com/xml/ns/j2ee' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd'>
      <servlet>
        <servlet-name>TestFormatsService</servlet-name>
        <servlet-class>testservices.TestFormatsService</servlet-class> 
      </servlet>
      <servlet-mapping>
        <servlet-name>TestFormatsService</servlet-name>
        <url-pattern>/*</url-pattern>
      </servlet-mapping>

      <security-constraint>
        <web-resource-collection>
         <web-resource-name>All resources</web-resource-name>
         <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
         <role-name>friend</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
      </login-config>
      <security-role>
        <role-name>friend</role-name>
      </security-role>
      </web-app>

      And I configured jboss-web.xlm:


      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
        <security-domain>java:/jaas/foobar</security-domain>
      </jboss-web>

      In this case I have secured wsdl.

       

      Please help me to do the secure endpoint but not secure wsdl.

      thanks in advance

        • 1. Re: web-service authentication problem
          Christy Christy Novice

          I found the solution here, on this forum.  To secure only endpoint but not wsdl you need to secure only POST method:

           

          <security-constraint>
            <web-resource-collection>
             <web-resource-name>TestFormatsService</web-resource-name>
            
             <url-pattern>/TestFormatsService</url-pattern>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
             <role-name>friend</role-name>
            </auth-constraint>
          </security-constraint>

          <login-config>
            <auth-method>BASIC</auth-method>
          </login-config>

          <security-role>
            <role-name>friend</role-name>
          </security-role>